This article explains how to set up and use the OpenId Connect Integration, so your organization can rely on Single Sign-On, using Ping Identity as the Identity Provider, and require employees to authenticate using your Ping Users directory.
In this article
- How to connect the OpenId Connect integration
- How to set up a new Ping application
- Troubleshooting OIDC Authentication Errors
How to connect the OpenId Connect integration
To set up SSO using the OIDC protocol, you need to connect to the OpenId Connect integration. Only organization admins are able to connect integrations on behalf of the organization.
Go to the App Store.
Look for OpenId Connect and click on it.
Now click on "Connect OpenId Connect", you'll enter the the integration set up. Keep this screen open, we'll need to get the values from Ping.
How to set up a new Ping application
To enable Deel to authenticate users via Ping using OIDC protocol, we'll need to create a new application, following these steps:
- Go to Ping admin dashboard
- Navigate to Applications > Applications, and click on the "+" button to create a new application.
- Enter the display name for the application, for example, "Deel", and select OIDC Web App option. Click "Save".
- Now copy the "Client ID" text and paste it in the corresponding field, in Deel's connection settings.
- Do the same for "Client Secret", copy the secret, and paste in Deel's settings.
- Now click on the "Configuration" tab, expand the "URLs" menu, and copy the "OIDC Discovery Endpoint" and past it in the "Well-Known URL" input, on Deel's settings, and click on "Connect & Go to Settings".
- You'll see the Single Sign-On configurations panel. Enter the name to identify the SSO method in your organization custom domain, and copy the Redirect URL.
- Go back to Ping, and click on the pencil button under the "Configuration" tab to edit the details for your OIDC application.
- Paste the redirect URL from Deel in the "Redirect URIs" field.
- In "Token Endpoint Authentication Method", select "Client Secret Post".
- Paste the redirect URL from Deel in the Initiate Login URL, and click "Save".
- Go to the "Resources" tab, and click on the pencil to edit the "Allowed Scopes". Select "Email" and click "Save".
- Go to the "Access" tab to edit the groups assignments to this application.
- Lastly, enable your application by clicking on the switch button on the top-right.
- Back to Deel's SSO configuration, click on "Enable" to enable SSO login.
Once enabled, your organization will require SSO for any employee to login.
To disable SSO at any given time, you just need to go back to this integration, and click on More > Disconnect.
Troubleshooting OIDC Authentication Errors
If you experience 400 authentication errors after OIDC is enabled, this typically indicates that the stored credentials (Client ID or Client Secret) are no longer valid or have been regenerated.
Re-entering OIDC Credentials
If authentication fails with a 400 error:
- In Deel, go to More > Apps and search for OpenID Connect.
- Click on the existing OpenID Connect integration.
- Click More › Edit Settings (or Manage).
- You will see the fields for Client ID, Client Secret, and Well-Known URL.
- In Ping Identity, generate new credentials if needed:
- Go to Applications and open your Deel OIDC application.
- Under the Configuration tab, locate Client Information.
- Regenerate the Client Secret if required.
- Copy the Client ID and new Client Secret.
- Return to Deel and paste the updated Client ID and Client Secret into the corresponding fields.
- Click Save or Update to apply the changes.
- Test authentication by logging out and attempting to log back in via SSO.
If 400 errors persist after re-entering credentials, verify in Ping that:
- The Redirect URI in Deel's integration settings matches the Redirect URIs configured in Ping's OIDC application.
- The service account has the correct permissions enabled.
- The OIDC Discovery Endpoint URL is still valid and accessible.